
For the below series of instructions, is an exit possible? Which instruction can potentially cause an exit and which kind of exit? What'd be the reason for the particular type of exit?

da3bd <mystery>:
da3bd:  4c 33 1c 24             xor    (%rsp),%r11
da3c1:  49 89 d0                mov    %rdx,%r8
da3c4:  49 89 c9                mov    %rcx,%r9
da3c7:  4d 85 c0                test   %r8,%r8
da3ca:  75 11                   jne    da3dd
da3cc:  48 c7 c7 16 6c 00 00    mov    $0x6c16,%rdi
da3d3:  48 c7 c0 74 a6 6d 81    mov    $0x816da674,%rax
da3da:  0f 79 f8                vmwrite %rax,%rdi
da3dd:  9c                      pushf
da3de:  58                      pop    %rax

Assuming the page contains a mystery function running in CPL0 and the page containing addresses such as 0xda000 – 0xdafff is present in memory with all page tables configured.

Peter Cordes
rish

1 Answer

Note, this chart only applies to the specific code in the question. It is not a general description of the types of exits that can occur for these types of instructions.

| # | Instruction type | Possible VM exits |
|---|---|---|
| 1 | reg,reg; reg,imm; jmp short | debug exception, MTF, VMX timer, external interrupt, NMI, INIT, SMI |
| 2 | memory read | same as #1, EPT violation, EPT misconfiguration, page fault exception, stack segment exception, double fault exception, triple fault exception |
| 3 | memory write | same as #2, PML full |
| 4 | the first instruction in the function | same as #2, interrupt window, NMI window |
| 5 | vmwrite | same as #1, vmwrite |

Obviously most of these are not "caused by" the specific instruction.

prl
  • It's interesting that none of these can cause #GP, despite it being the most common catch-all exception for a variety of different types of errors. – prl Oct 07 '21 at 01:39
  • Oh right, with a register other than `%rsp` or `%rbp`, a non-canonical address in `xor (%reg), %r11` would #GP. But since it is RSP, that would #SS, like for push or pop. – Peter Cordes Oct 07 '21 at 02:01
  • Code fetch on later instructions could fault if a host interrupt handler evicted this code page (e.g. after a context switch in the host/hypervisor). That wouldn't be the first vmexit of the function, though. Can the hypervisor also single-step the guest with TF in EFLAGS, or with `dr0..7` debug registers for HW breakpoints / watchpoints? If so, that could vmexit at any otherwise innocent instruction. – Peter Cordes Oct 07 '21 at 02:37
  • @Peter, yes, I added debug exception in row 1. OP said the instruction page is mapped, so I accepted that as given (and unchanging). – prl Oct 07 '21 at 03:22
  • Agreed with that interpretation, I just missed that part of the question. Clearly a much better (or at least less bad) question than [the deleted one from another user yesterday](https://stackoverflow.com/questions/69443463/which-of-these-commands-will-cause-a-vmexit). – Peter Cordes Oct 07 '21 at 03:55
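Two of the exit conditions discussed above depend on operand values the listing leaves implicit: row 5 of the answer (the `vmwrite` exit, whose operand here is the field encoding `0x6c16`) and the #SS-versus-#GP distinction for `xor (%rsp),%r11` from the comments. The following is an added example, not code from the question or from prl's answer: it decodes a VMCS field encoding into width/type/index as the Intel SDM lays it out, applies the VMWRITE-bitmap rule that decides the exit when VMCS shadowing is on, and performs the canonical-form check that determines which exception a bad `%rsp` would raise. The bitmap contents and the sample stack-pointer values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the question or prl's answer). Decoders for the
 * operands in the listing: the VMCS field encoding 0x6c16 written by vmwrite,
 * and the canonical-form check behind the (%rsp) access in xor (%rsp),%r11. */

/* VMCS field encoding layout (Intel SDM, "VMCS Field Encoding"):
 *   bit 0      access type (0 = full field, 1 = high 32 bits of a 64-bit field)
 *   bits 9:1   index
 *   bits 11:10 type: 0 control, 1 VM-exit information, 2 guest state, 3 host state
 *   bit 12     reserved
 *   bits 14:13 width: 0 16-bit, 1 64-bit, 2 32-bit, 3 natural width */
struct vmcs_field {
    unsigned access_high;
    unsigned index;
    unsigned type;
    unsigned width;
};

static const char *const vmcs_type_name[4] = {
    "control", "VM-exit information", "guest state", "host state"
};
static const char *const vmcs_width_name[4] = {
    "16-bit", "64-bit", "32-bit", "natural-width"
};

struct vmcs_field vmcs_field_decode(uint32_t enc)
{
    struct vmcs_field f;
    f.access_high = enc & 1;
    f.index = (enc >> 1) & 0x1ff;
    f.type = (enc >> 10) & 3;
    f.width = (enc >> 13) & 3;
    return f;
}

/* VMWRITE exit decision. Without VMCS shadowing, VMWRITE in VMX non-root mode
 * always causes a VM exit (the "vmwrite" exit in row 5 of the answer). With
 * shadowing enabled, bit enc[14:0] of the 4 KB VMWRITE bitmap decides:
 * set -> VM exit, clear -> the write goes to the shadow VMCS. */
int vmwrite_causes_exit(const uint8_t *vmwrite_bitmap, uint32_t enc,
                        int shadowing_enabled)
{
    if (!shadowing_enabled)
        return 1;
    unsigned bit = enc & 0x7fff;
    return (vmwrite_bitmap[bit / 8] >> (bit % 8)) & 1;
}

/* Constructed VMWRITE bitmap with only enc's bit set or clear; reports whether
 * VMWRITE of enc would exit under shadowing. */
int vmwrite_exit_with_bitmap_bit(uint32_t enc, int bit_set)
{
    uint8_t bitmap[4096];
    memset(bitmap, 0, sizeof bitmap);
    if (bit_set)
        bitmap[(enc & 0x7fff) / 8] |= (uint8_t)(1u << ((enc & 0x7fff) % 8));
    return vmwrite_causes_exit(bitmap, enc, 1);
}

/* Canonical-form check: with lin_bits linear-address bits implemented
 * (48 under 4-level paging), bits 63:lin_bits must all equal bit lin_bits-1. */
int is_canonical(uint64_t addr, unsigned lin_bits)
{
    uint64_t top = addr >> (lin_bits - 1);
    return top == 0 || top == (UINT64_MAX >> (lin_bits - 1));
}

/* In 64-bit mode a memory operand based on RSP or RBP is an SS-relative
 * access; any other base register (or none) is DS-relative. A non-canonical
 * address raises #SS(0) for SS-relative accesses and #GP(0) otherwise.
 * Returns the exception name, or NULL when the address is canonical (it can
 * still #PF if the page is not mapped). */
const char *noncanonical_fault(const char *base_reg, uint64_t addr)
{
    if (is_canonical(addr, 48))
        return NULL;
    int ss_relative = base_reg != NULL &&
        (strcmp(base_reg, "rsp") == 0 || strcmp(base_reg, "rbp") == 0);
    return ss_relative ? "#SS" : "#GP";
}

int main(void)
{
    /* The vmwrite in the listing: field encoding 0x6c16 in %rdi. */
    struct vmcs_field f = vmcs_field_decode(0x6c16);
    printf("0x6c16: %s %s field, index %u%s\n", vmcs_width_name[f.width],
           vmcs_type_name[f.type], f.index, f.access_high ? " (high half)" : "");
    printf("vmwrite exits without shadowing: %d; with shadowing, bitmap bit clear: %d\n",
           vmwrite_causes_exit(NULL, 0x6c16, 0), vmwrite_exit_with_bitmap_bit(0x6c16, 0));

    /* Constructed stack-pointer values for xor (%rsp),%r11. */
    uint64_t canonical_rsp = 0xffffc90000013f00ULL;
    uint64_t bad_rsp = 0x0000800000000000ULL; /* lowest non-canonical address */
    printf("(%%rsp) at %#llx: %s; (%%r8) at the same address: %s; canonical rsp: %s\n",
           (unsigned long long)bad_rsp, noncanonical_fault("rsp", bad_rsp),
           noncanonical_fault("r8", bad_rsp),
           noncanonical_fault("rsp", canonical_rsp) ? "fault" : "no fault");
    return 0;
}
```

The decode reports `0x6c16` as a natural-width host-state field with index 11, which the SDM's field list names HOST_RIP, so the instruction sequence stores a host instruction pointer into the VMCS. Whether that `vmwrite` exits at all is the hypervisor's choice: with the "VMCS shadowing" control clear it always exits, and with it set the bit the bitmap holds for this encoding decides, which is why the answer's table can only list the `vmwrite` exit as possible rather than certain.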